Leo Famulari writes:

> There's a format string vulnerability (with unknown impact) in our dbus:
>
> http://seclists.org/oss-sec/2016/q4/85
>
> Please read that message and the linked bug report.
>
> My understanding of the upstream analysis of the format string
> vulnerability is that only the bus owner can trigger it. So, if the
> vulnerability allows arbitrary code execution, it would mean that root
> could execute arbitrary code via the system bus... not a huge problem.
> But still undesirable.
>
> What do you think? Should we update this on core-updates? Should we
> graft it on master?
>
> Leo Famulari (1):
>   gnu: dbus: Update to 1.10.12.
>
>  gnu/packages/glib.scm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Excuse my ignorance, but when is a patch considered significant enough to be updated on core-updates instead of master? Put another way, what is the purpose of core-updates?